@Lukasz This one has a SRU template in comment #8. I copied it into the main description, *without* checking if this works to reproduce the bug.
** Description changed: # apt --version apt 1.2.18 (amd64) xenial - - I got myself into a situation where a repository has a Release and a Release.gpg file, but apt is just ignoring the gpg one and won't download it via apt update for some reason: + I got myself into a situation where a repository has a Release and a + Release.gpg file, but apt is just ignoring the gpg one and won't + download it via apt update for some reason: The repository in question is http://ubuntu- cloud.archive.canonical.com/ubuntu/dists/xenial-updates/newton/. See how locally I have just the Release file: root@juju-cb14ed-0-lxd-3:/var/lib/apt/lists# l *Release* -rw-r--r-- 1 root root 100K Jan 15 18:03 archive.ubuntu.com_ubuntu_dists_xenial-backports_InRelease -rw-r--r-- 1 root root 242K Apr 21 2016 archive.ubuntu.com_ubuntu_dists_xenial_InRelease -rw-r--r-- 1 root root 100K Jan 18 11:42 archive.ubuntu.com_ubuntu_dists_xenial-updates_InRelease -rw-r--r-- 1 root root 100K Jan 18 11:42 security.ubuntu.com_ubuntu_dists_xenial-security_InRelease -rw-r--r-- 1 root root 7.7K Jan 18 11:45 ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_Release - Now I try an update. See how the Release.gpg file gets a "Hit:" instead of a "Get:": root@juju-cb14ed-0-lxd-3:/var/lib/apt/lists# apt update Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB] - Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease + Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease Ign:3 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton InRelease Get:4 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB] Hit:5 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton Release Get:6 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton Release.gpg [543 B] Hit:7 http://archive.ubuntu.com/ubuntu xenial-backports InRelease - Fetched 205 kB in 0s (395 kB/s) + Fetched 205 kB in 0s (395 kB/s) Reading package lists... Done - Building dependency tree + Building dependency tree Reading state information... Done 8 packages can be upgraded. Run 'apt list --upgradable' to see them. - And I can't install packages: root@juju-cb14ed-0-lxd-3:/var/lib/apt/lists# apt dist-upgrade Reading package lists... Done - Building dependency tree + Building dependency tree Reading state information... Done Calculating upgrade... Done The following NEW packages will be installed: - python3-setuptools + python3-setuptools The following packages will be upgraded: - dh-python dnsmasq-base python-pkg-resources python-setuptools python3-cryptography python3-pkg-resources python3-requests python3-urllib3 + dh-python dnsmasq-base python-pkg-resources python-setuptools python3-cryptography python3-pkg-resources python3-requests python3-urllib3 8 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 1,193 kB of archives. After this operation, 808 kB of additional disk space will be used. - Do you want to continue? [Y/n] + Do you want to continue? [Y/n] WARNING: The following packages cannot be authenticated! - dh-python dnsmasq-base python-setuptools python-pkg-resources python3-pkg-resources python3-setuptools python3-cryptography python3-requests python3-urllib3 + dh-python dnsmasq-base python-setuptools python-pkg-resources python3-pkg-resources python3-setuptools python3-cryptography python3-requests python3-urllib3 Install these packages without verification? [y/N] n E: Some packages could not be authenticated - root@juju-cb14ed-0-lxd-3:/var/lib/apt/lists# + root@juju-cb14ed-0-lxd-3:/var/lib/apt/lists# Somehow apt is thinking it has the Release.gpg file, but it doesn't? + This server is behind a squid proxy. - This server is behind a squid proxy. + + [Impact] + An apt update of an apt repository that does not use InRelease during the time it is being updated can cause the gpg file to not be downloaded and updated. This makes the packages from the repository be unable to be authenticated. + + The Ubuntu Cloud Archive is one of the archives that meets this + criteria. + + The impact to downstream automation deployment code is that if they are + adding the UCA repo to a system and calling apt update during the time + the UCA is being updated by Canonical, the repo can get into a state + where the Release.gpg file is not there and all package installs will + fail due to "unauthenticated packages" error. + + [Test Case] + A detailed python script was attached. + + To reproduce this outside that script you would want to: + 1. Add the UCA repo + 2. Do the following in a loop starting at 43 minutes after the hour and run it until 55 minutes after the hour: + 2.1 Remove these files to simulate the UCA repo being added the first time. + /var/lib/apt/lists/ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_Release + /var/lib/apt/lists/ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_Release.gpg + /var/lib/apt/lists/ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_main_binary*Packages + + 2.2 apt-get update + 3. Check the state of the 3 files you deleted. If you have the _Release file but not the _Release.gpg you have recreated the issue. + 4. If you have not recreated the issue, continue GOTO 2 and continue to loop. + + [Regression Potential] + Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1657440 Title: apt won't redownload Release.gpg after inconsistent cache updates made while UCA is being updated To manage notifications about this bug go to: https://bugs.launchpad.net/apt/+bug/1657440/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
